Introduction


Qualys Endpoint Detection and Response (EDR) solution actively focuses on endpoint activity to 
detect attacks. EDR expands the capabilities of the Qualys Cloud Platform to deliver threat 
hunting and remediation response. EDR detects suspicious activity, confirms the presence of 
known and unknown malware, and provides remediation responses for your assets. 


Qualys Multi-Vector EDR now includes integrated antimalware detection capabilities, providing 
additional real-time protection against the latest threats. Qualys EDR also expedites the 
inevitable convergence of Malware Protection software with EDR to deliver comprehensive 
protection against known and unknown threats. 


Since this active monitoring and data collection is in real-time, EDR requires constant inspection, 
scanning, and data collection. EDR mandates specific system requirements for hardware and 
software compatibility. 


This guide outlines the minimum hardware and software requirements for deploying EDR. 
Requirements might vary based on system utilization. We recommend that you carry out a
performance pilot tryout before a full scale-out.


System Requirements 


Software Requirements 


Incompatibility with other Security Software 


Qualys EDR is incompatible with other security EDR software. Running the Qualys EDR agent 
simultaneously with any other EDR security software on an asset might affect their operation 
and cause significant problems with the system performance. Before installing the Qualys EDR 
agent, you must uninstall any other existing EDR software. Qualys EDR will not be able to 
provide support if other EDR software is installed. 


Note: While Qualys offers its own Malware Protection, uninstall all other antimalware
software if you are using the malware protection capabilities of Qualys EDR. However, if you
are not using the malware protection capabilities, Qualys EDR can still co-exist with other
3rd party antimalware software. Running the malware protection capabilities alongside another
antimalware product might result in undefined system behavior.


Whitelist Requirements 


Qualys EDR can co-exist with other antimalware software. However, if you are using Qualys EDR 
with the Malware Protection capabilities enabled, admins must whitelist appropriate processes, 
internal tools, and other corporate applications so that our Malware Protection does not 
inadvertently block their functionalities. Failing to whitelist processes might affect your 
operations and cause problems with the application functionality. 


You can review the default AV configuration policy and make necessary changes based on your
organizational requirements using the Configuration tab in the EDR module. For more
information, refer to the online help.
For the malware protection, ensure that you whitelist the following domains:
• Cloudfront.net
• bitdefender.net
• bitdefender.com


If you are using Qualys Gateway Service (QGS), you can whitelist the domains using the Qualys 
Gateway Appliance Configuration. For more information, refer to the Qualys Gateway Service 
User Guide. 


Hardware Requirements 


Agents with EDR 


Disk Space 


Desktop: 1124 MB (100 MB for agent + 1024 MB for EDR cache)
Server:  1124 MB (100 MB for agent + 1024 MB for EDR cache)


Default Disk Cache: EDR is configured with a default disk cache of 1024 MB and can be 
configured using the Cloud Agent module. 


Traffic & connectivity: EDR is always connected to its backend services to post the event details 
continuously. By default, the agent connects to the backend services at an interval of 60 seconds 
or when the payload size is 1 MB. 

You can configure these settings from the Cloud Agent module. To configure these settings, 
navigate to the Cloud Agent module > Configuration Profiles. Open the profile you are using 
and navigate to the EDR step to configure these settings. 


[Screenshot: Configuration Profile > Edit > Endpoint Detection and Response step, showing:
- Enable EDR module for this profile
- Max event log size, KB (10 - 10240): payload size to transmit to platform
- Payload threshold time, secs (30 - 1800): maximum time between EDR payloads sent to the server
- Maximum disk usage for EDR Data, MB (500 - 5120)
- Enable Malware Protection for this Profile]
Agents with EDR with Malware Protection Software


The following CPU, memory, and disk space are required for EDR with Malware Protection software.


           CPU                                                    Memory   Disk Space
Desktop    Intel® Pentium compatible multi-core processors,       6 GB     3 GB
           2 GHz or faster
Server     Intel® Pentium compatible multi-core processors,       6 GB     3 GB
           2.4 GHz, or Intel® Xeon multi-core CPU, 1.86 GHz
           or faster


Important 


Traffic for Desktop and Server: 15-25 GET requests per day 


Bandwidth requirements for Desktop and Server:
o First time download (agent installer and Malware Protection definition
update) consumes 900 MB.
6 Ue seu resuesis año even wees SMS. 
o Upgrade (once in 2 months) requires 300 MB. 


Supported Operating Systems for EDR 


Desktop Operating Systems (x86 and x64) 


• Windows 10 21H1
• Windows 10 20H2
• Windows 10 2004
• Windows 10 1909
• Windows 10 1903
• Windows 10 1809
• Windows 10 1803
• Windows 10 1709
• Windows 10 1703
• Windows 10 1607
• Windows 8.1
• Windows 8
• Windows 7


Server Operating Systems 


• Windows Server 20H2
• Windows Server 2004
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2




Supported Operating Systems for EDR with Malware Protection 
Capabilities 


Desktop Operating Systems 


• Windows 10 October 2020 Update (20H2)
• Windows 10 May 2020 Update (20H1)
• Windows 10 November 2019 Update (19H2)
• Windows 10 May 2019 Update (19H1)
• Windows 10 October 2018 Update (Redstone 5)
• Windows 10 April 2018 Update (Redstone 4)
• Windows 10 Fall Creators Update (Redstone 3)
• Windows 10 Creators Update (Redstone 2)
• Windows 10 Anniversary Update (Redstone 1)
• Windows 10 November Update (Threshold 2)
• Windows 10
• Windows 8.1
• Windows 8.0


Server Operating Systems 


• Windows Server 2019
• Windows Server 2019 Core
• Windows Server 2016
• Windows Server 2016 Core
• Windows Server 2012 R2
• Windows Server 2012
• Windows Small Business Server (SBS) 2011
• Windows Server 2008 R2

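The requirements above (disk space, memory, CPU, no competing security software, agent 4.5 or later, and the allowlisted domains) are the things an administrator checks on each pilot asset before enabling EDR. The following script is an added example, not Qualys code, that gathers those facts on a Windows host and reports them next to the figures stated in this guide. It assumes, since the guide does not say, that the Cloud Agent service is named QualysAgent and that its binary sits under Program Files\Qualys\QualysAgent; adjust both if your installation differs.

```powershell
# Added example (not Qualys code): pre-flight check of an asset selected for the EDR pilot
# against the requirements stated in this guide. Run from an elevated PowerShell prompt.
# Assumptions not taken from the guide: the Cloud Agent service is named "QualysAgent" and
# its binary lives at "$env:ProgramFiles\Qualys\QualysAgent\QualysAgent.exe".
param([switch]$WithMalwareProtection)

$AgentService = 'QualysAgent'
$AgentExe     = Join-Path $env:ProgramFiles 'Qualys\QualysAgent\QualysAgent.exe'
$Domains      = @('cloudfront.net', 'bitdefender.net', 'bitdefender.com')   # listed in the guide
$results      = New-Object System.Collections.Generic.List[object]

function Add-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    $results.Add([pscustomobject]@{
        Check  = $Name
        Status = $(if ($Ok) { 'PASS' } else { 'REVIEW' })
        Detail = $Detail
    })
}

$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem
$cpu = Get-CimInstance Win32_Processor
$isServer = $os.ProductType -ne 1      # 1 = workstation, 2 = domain controller, 3 = server

# Operating system: the guide lists specific Windows 7/8/10 and Server releases, so the
# caption and build are reported for matching against those lists by hand.
Add-Check 'Operating system' ($os.Caption -match 'Windows (7|8|10|Server)') `
    ("{0} build {1} ({2})" -f $os.Caption, $os.BuildNumber, $os.OSArchitecture)

# Disk space on the system drive: 1124 MB for EDR alone, 3 GB with Malware Protection.
$requiredMB = if ($WithMalwareProtection) { 3072 } else { 1124 }
$sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$freeMB  = [math]::Round($sysDisk.FreeSpace / 1MB)
Add-Check 'Free disk space' ($freeMB -ge $requiredMB) "$freeMB MB free, $requiredMB MB required"

if ($WithMalwareProtection) {
    # Memory: 6 GB for EDR with Malware Protection, desktop and server alike.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    Add-Check 'Physical memory' ($ramGB -ge 6) "$ramGB GB installed, 6 GB required"

    # CPU: multi-core at 2 GHz (desktop) or 2.4 GHz (server); a Xeon at 1.86 GHz also qualifies.
    $cores  = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $mhz    = ($cpu | Measure-Object -Property MaxClockSpeed -Maximum).Maximum
    $isXeon = [bool]($cpu | Where-Object { $_.Name -match 'Xeon' })
    $minMHz = if (-not $isServer) { 2000 } elseif ($isXeon) { 1860 } else { 2400 }
    Add-Check 'Processor' (($cores -ge 2) -and ($mhz -ge $minMHz)) `
        "$cores cores at $mhz MHz (need >= 2 cores and >= $minMHz MHz)"
}

# Other security software: the guide requires removing other EDR products, and other
# antimalware when Malware Protection is enabled. SecurityCenter2 exists on desktop OSes only,
# so on servers the admin has to check Programs and Features instead.
try {
    $av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
    $names = @($av.displayName | Where-Object { $_ }) -join ', '
    Add-Check 'Registered antimalware' ([string]::IsNullOrEmpty($names)) "Registered: $names"
} catch {
    Add-Check 'Registered antimalware' $false 'SecurityCenter2 not available (server OS); check Programs and Features'
}

# Cloud Agent 4.5 or later must be installed and running on the pilot assets.
$svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
if ($svc -and (Test-Path $AgentExe)) {
    $raw = (Get-Item $AgentExe).VersionInfo.ProductVersion
    $ver = if ($raw -match '^\d+(\.\d+){1,3}') { [version]$Matches[0] } else { [version]'0.0' }
    Add-Check 'Cloud Agent' (($svc.Status -eq 'Running') -and ($ver -ge [version]'4.5')) `
        "version $ver, service $($svc.Status)"
} else {
    Add-Check 'Cloud Agent' $false 'service or binary not found (verify the assumed service name and path)'
}

# Domains the guide says must be allowlisted for Malware Protection: confirm they resolve
# from this asset. A failure points at DNS or proxy filtering to investigate before enabling.
foreach ($d in $Domains) {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($d) | Select-Object -First 1
        Add-Check "Resolve $d" $true $addr.IPAddressToString
    } catch {
        Add-Check "Resolve $d" $false 'DNS resolution failed'
    }
}

$results | Format-Table -AutoSize
```

Run it as `.\edr-preflight.ps1 -WithMalwareProtection` on assets that will receive EDR with Malware Protection, or without the switch for EDR only. Every row marked REVIEW is something the guide asks you to resolve before enabling the module; the antimalware row is deliberately informational, because on desktops it will always list at least the built-in product and the decision to uninstall depends on whether you enable Malware Protection.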

System Resource Throttling 


Due to the nature of the problem that antimalware products solve and that they are real-time 
monitors, it is not a good practice to throttle these products. Throttling limits the product's 
ability to use the CPU, memory, disk I/O, and disk space. 


Systems can encounter occasional resource usage spikes on the CPU, memory, disk I/O, or
bandwidth usage. While this is normal, Qualys is actively working on allowing you to set
resource usage limits for the EDR product.


Note: While you can configure the Agent performance for other Qualys products from the 
Agent Configuration profile, these performance settings do not apply to Qualys EDR. 
Qualys EDR Onboarding Recommendations


EDR detects suspicious activity, confirms the presence of known and unknown malware, and 
provides remediation responses for your assets. This active monitoring in real-time requires 
constant inspection, scanning, and data collection. 


Given the nature of the product, Qualys has put together a set of recommendations to onboard 
the EDR product. 


• Ensure the onboarding activities are carried out with the support of your TAM. This helps
to escalate and take preventive measures in case of any issues.

• Perform a pilot tryout on a small set of assets. Select assets with varying software and
hardware configurations for the pilot tryout.

• On the assets selected for the pilot tryout, ensure the agent version is 4.5 or later. Refer to
the Cloud Agent Windows Installation Guide for step-by-step instructions.

• Ensure the EDR module is enabled on the Configuration Profile. After you have enabled
the EDR module, you can enable the Malware Protection capabilities. Refer to the Getting
Started Guide or the Online Help for step-by-step instructions.


[Screenshot: Configuration Profile > Edit > Endpoint Detection and Response step, with
"Enable EDR module for this profile" and "Enable Malware Protection for this Profile" checked,
and the Max event log size, Payload threshold time, and Maximum disk usage for EDR Data settings.]


Note: While Qualys offers its own Malware Protection, uninstall all other antimalware
software if you are using the malware protection capabilities of Qualys EDR. However, if you
are not using the malware protection capabilities, Qualys EDR can still co-exist with other
3rd party antimalware software.
• If you are a new Qualys customer, ensure that the agents do not self-patch (auto-update).
To restrict agents from auto-updating, ensure that the Prevent auto updating of the
agent binaries setting is selected for the Configuration Profiles in the Cloud Agent
module. You can disable this setting again after a successful pilot tryout.


[Screenshot: Configuration Profile > Edit > General Info step, showing the profile name
EDR_EPP_ON_SP_OFF, the option "Make this the default profile for the subscription", the option
"Suspend data collection for VM, PC, SCA and Inventory for all agents using this profile", and
the Description field.]


• If you are an existing Qualys customer, create a new configuration profile for selected
assets with the Prevent auto updating of the agent binaries setting disabled for the pilot
tryout. This will automatically upgrade your Windows Agent on these assets to the latest
version (4.5 or later).


• Continuously monitor asset performance during the following in-progress activities:
- Agent deployment or version upgrade
- EDR enablement on endpoints
- Malware Protection software enablement on top of EDR on endpoints
Things to monitor:
- CPU utilization
- Memory utilization
- High I/O
- Network bandwidth
- Number of EDR events captured (Hunting tab of the Qualys EDR UI)
- Endpoint performance with other antivirus software, Qualys products, and other
software (coexistence, slowness, system crashes, etc. must be monitored closely)


• For the pilot tryout, monitor the assets for at least 1 to 2 business weeks.


• If you face issues during the pilot tryout, we recommend that you tune the
configurations:


- Increase CPU and memory if assets are underperforming.
- Improve network bandwidth.
- If you see an unnecessary or high volume of events on the UI, contact the Qualys
Support team to tune the policy.


• After a successful pilot tryout, when you are ready to deploy this across all assets, make
sure you enable these assets in small batches.

• Keep a considerable gap between onboarding two batches. This ensures that the
bandwidth and CPU utilization are under control on endpoints.


Here is a flowchart that summarizes the recommended onboarding process:

[Flowchart, rendered here as text:
1. Identify assets for the pilot tryout.
2. Do the selected assets meet the system requirements? If not, upgrade the hardware and
check again.
3. Deploy the Windows Agent and enable EDR or EDR + Malware Protection.
4. Monitor the assets for 1-2 business weeks. Things to monitor: CPU utilization, memory
utilization, high I/O, network bandwidth, number of EDR events captured, endpoint performance.
5. Are the asset and EDR performance acceptable? If not, tune the configurations (increase CPU
and memory if assets are underperforming; improve network bandwidth; if you see an unnecessary
or high volume of events on the UI, contact the Qualys Support team to tune the policy) and
return to step 4.
6. Deploy on all assets in small batches.]